Abstract

We propose a proof of the security of EPR-based quantum key distribution against enemies with unlimited computational power. The proof holds for a protocol using an interactive error-reconciliation scheme. We assume in this paper that the legitimate parties receive a given number of single photon signals and that their measurement devices are perfect.

1 Introduction 

Quantum key distribution is a cryptographic task that uses properties of quantum mechanics to allow two legitimate parties to share a secret random number. This random number can be used as a key for a symmetric classical cipher to establish a perfectly secure communication channel between the legitimate parties. The first quantum key distribution protocol, called BB84, was proposed by Bennett and Brassard. It was followed by other protocols, and the security of these protocols was analysed in several works. The unconditional security of quantum key distribution, i.e. security against enemies with unlimited computational power, was obtained by Mayers for the BB84 protocol, and many notions and techniques introduced in that proof are used in the present paper. Other proofs of the unconditional security of BB84 followed. The security of the EPR-based quantum key distribution protocol proposed by Ekert, E91, has also been proved, and the security of entanglement-based quantum key distribution using untrusted apparatus has been proved as well. In this paper, we propose another proof of the security of E91. The protocol is proved secure against enemies with unlimited computational power. However, it is assumed that both legitimate parties receive an ensemble of a given number of single photons. Furthermore we assume that the efficiency of their detection unit is one, which is far from true in any practical implementation of quantum key distribution today. The results in this paper therefore do not apply to practical implementations of EPR-based quantum key distribution. Nevertheless it is hoped that the techniques employed in this paper can be generalised to prove the security of practical EPR-based quantum key distribution protocols.
2 Definition of security



We adopt the same definition of security as in the earlier unconditional-security proofs.

The role of key distribution between two distant legitimate parties, traditionally called Alice and Bob, is to generate a shared random number, called the private key, that is guaranteed to be known only by the legitimate parties. A non-authorised party, traditionally called Eve, should not be able to obtain any information about the private key, whichever eavesdropping strategy she might adopt.

However, most quantum key distribution protocols do not allow Alice and Bob to share a private key in all circumstances. It is only when some conditions are satisfied that Alice and Bob can ascertain that a potential eavesdropper will have only negligible information about the key. The protocol therefore provides a validation test that tells whether a key can be generated with unconditional privacy. A key is created only if the test is passed; otherwise the session is abandoned. Nevertheless, following earlier proofs, we adopt the convention that when the validation test is not passed, Alice chooses a random value for the private key with uniform probability distribution. As a result, the private key is defined regardless of the outcome of the validation test, but, of course, when the validation test is not passed, Bob does not share the key with Alice.

Finally, we consider families of protocols for which a parameter quantifying the amount of a resource used in a protocol characterises its security. Such a parameter is called the security parameter. Usually, the higher the value of the security parameter, the higher the level of security, but also the higher the amount of the resource required by the protocol. We now give a formal definition of security.

A random variable will always be denoted by a bold letter, and values taken by this random variable by the corresponding plain letter. Only discrete random variables will be considered in this paper. The probability distribution of a random variable $\mathbf{x}$ is denoted by $P_{\mathbf{x}}$, i.e. $P_{\mathbf{x}}(x) = \Pr(\mathbf{x} = x)$ is the probability that $\mathbf{x}$ takes the value $x$. The joint distribution of two random variables $\mathbf{x}$ and $\mathbf{y}$ is denoted by $P_{\mathbf{xy}}$, i.e. $P_{\mathbf{xy}}(x, y) = \Pr(\mathbf{x} = x, \mathbf{y} = y)$. The conditional probability of $\mathbf{x}$ given that $\mathbf{y}$ takes a value $y$ is denoted by $P_{\mathbf{x}|\mathbf{y}=y}$ whenever $P_{\mathbf{y}}(y) > 0$, i.e. $P_{\mathbf{x}|\mathbf{y}=y}(x) = \Pr(\mathbf{x} = x \mid \mathbf{y} = y) = P_{\mathbf{xy}}(x, y)/P_{\mathbf{y}}(y)$ whenever $P_{\mathbf{y}}(y)$ is positive. Let $f$ be a function defined on the image of $\mathbf{x}$. When no confusion is possible, the notation $\mathbf{f}$ will be adopted to denote the random variable $f(\mathbf{x})$.

We will denote by $\mathbf{k}$ the random variable giving the private key generated in a key distribution session. The key is a string of $m$ bits, where $m$ is a positive integer specified by the legitimate users; that is, $\mathbf{k}$ takes values in $\{0,1\}^m$. Given an eavesdropping strategy chosen by Eve, we denote by $\mathbf{v}$ the random variable giving collectively all data Eve gets during this key distribution session. Henceforth, given the eavesdropping strategy adopted by Eve, $\mathbf{v}$ is called the view of Eve, and we denote by $V$ the set of all values $\mathbf{v}$ may take.

We adopt the following definition of security for quantum key distribution protocols.

Definition 1 Consider a quantum key distribution protocol returning a key $\mathbf{k} \in \{0,1\}^m$ regardless of the outcome of the validation test, where the length of the key, $m$, is fixed and chosen by the user. We say that the protocol offers perfect privacy if and only if:

• the protocol is parametrised by a parameter $N$ taking values in $\mathbb{N}$, called the security parameter, and

• there exists a function $\varepsilon : \mathbb{N} \times \mathbb{N} \to \mathbb{R}^+$ such that $\varepsilon(N, m)$ vanishes exponentially as $N$ grows (i.e. there exist $\alpha > 0$, $\beta > 0$, $N_{\min} \in \mathbb{N}$ and a function $f : \mathbb{N} \to \mathbb{R}^+$ such that $\forall N > N_{\min}$, $\varepsilon(N, m) \le e^{-\alpha N^{\beta}} f(m)$), and

• there exists a function $N_0 : \mathbb{N} \to \mathbb{N}$ such that, for any strategy adopted by Eve,

$$\forall m,\ \forall N > N_0(m), \qquad H(\mathbf{k}|\mathbf{v}) \ge m - \varepsilon(N, m),$$

where $\mathbf{v}$ is Eve's view given her strategy, and

$$H(\mathbf{k}|\mathbf{v}) = -\sum_{\kappa, v\,:\, P_{\mathbf{kv}}(\kappa, v) > 0} P_{\mathbf{kv}}(\kappa, v)\, \log_2 P_{\mathbf{k}|\mathbf{v}=v}(\kappa)$$

is the Shannon entropy of the key $\mathbf{k}$ given Eve's view $\mathbf{v}$.

Another important aspect of security of key distribution protocols is the integrity, or faithfulness, of the distributed key. We must require that whatever Eve does, it is very unlikely that Alice and Bob fail to share an identical private key while the validation test is passed. However, the integrity of the protocol depends mainly on the efficiency of the error detection/correction scheme that is used. This point is discussed in the Appendix, but the reader is referred to the literature on error reconciliation for a more complete explanation.



3 The protocol

We describe the quantum key distribution protocol under consideration. It is a variation of the protocol originally proposed by Ekert. The protocol is designed to use classical error-reconciliation schemes like the interactive scheme described in Appendix A.




Protocol setup

Alice and Bob specify:

• $m$, the length (in bits) of the private key to be generated.

• $\epsilon$, the maximum threshold value for the error rate during the quantum transmission ($\epsilon < 1/4$).

• $\tau$, a security constant such that $0 < \frac{2\epsilon}{1-\epsilon} + \tau < 1$.

• the security parameter $r$. It must be large enough so that Alice and Bob can find a binary matrix $K$ of size $m \times r$ such that any linear combination of rows of $K$ that contains at least one row of $K$ has weight greater than $d_K = \left(\frac{2\epsilon}{1-\epsilon} + \tau\right) r$ (i.e. $\min_{x \in \{0,1\}^m \setminus \{0\}} w(xK) > d_K$, where for any vector $y$, $w(y)$ is the weight of $y$, that is, the number of non-zero entries in $y$). Alice and Bob choose one such matrix $K$. Shannon's coding theorem tells that for asymptotic values of $m$, such a matrix can be found if $r$ obeys the inequality:

$$\frac{m}{r} < 1 - h\!\left(\frac{\epsilon}{1-\epsilon} + \frac{\tau}{2}\right),$$

where $h(\epsilon) = -\epsilon \log_2 \epsilon - (1-\epsilon)\log_2(1-\epsilon)$ is Shannon's binary entropy.

• An error reconciliation scheme between Alice and Bob such that:

— it tells, with high probability of correctness, whether more than $\epsilon s$ errors are present in a string of $s$ bits, where $s$ is fixed in the setup,

— if there are less than $\epsilon s$ errors in the string, the scheme corrects these errors, at least with high probability of success,

— only positions of the errors are possibly disclosed publicly. In particular the scheme should disclose no information about parities of the reconciled string.

The error reconciliation can be a probabilistic scheme for which an upper bound on the probability of failure can be specified by Alice and Bob. One can achieve such a task by first estimating the error rate on a small randomly chosen proportion of the string and then by using for instance the interactive error-reconciliation scheme of Brassard and Salvail. In these processes, the exchanged parities or bits should be encrypted with the one-time pad method. A basic explanation of this scheme can be found in Appendix A, but the reader is referred to the original paper for a complete description. The above requires that Alice and Bob share beforehand a secret private key for the one-time pad encryption. According to Shannon's coding theorem, for asymptotic values of $s$, such probabilistic error-reconciliation is possible if the entropy¹ $q$ (in bits) of the previously shared private key obeys the inequality:

$$q > s\,h(\epsilon).$$

• $n$, the number of pairs of photons to be sent to the legitimate parties. A good choice for $n$ depends on $s$ and on a small but strictly positive constant.

Quantum transmission

• A source sends a sequence of $n$ photons to Alice and another sequence of $n$ photons to Bob. It is assumed that ideally, for each $i \in \{1 \ldots n\}$, the source emits a pair of photons in the state:

$$\frac{|0\rangle_+ |0\rangle_+ + |1\rangle_+ |1\rangle_+}{\sqrt{2}},$$

and that Alice's $i$-th photon is the first photon of this pair, and Bob's $i$-th photon is the second photon of this pair. The kets $|0\rangle_+$ and



¹ That is, the length of the previously shared key if it is uniformly distributed.
$|1\rangle_+$ form an orthonormal basis $+$ of the Hilbert space describing the polarisation of one photon. The kets $|0\rangle_\times = \frac{|0\rangle_+ + |1\rangle_+}{\sqrt{2}}$ and $|1\rangle_\times = \frac{|0\rangle_+ - |1\rangle_+}{\sqrt{2}}$ form its conjugate basis $\times$.

However, the source need not be trusted. In particular, it can be under the control of a possible eavesdropper. The only assumption is that Alice and Bob receive a sequence of $n$ single photon signals on each side.

• We assume that the measurement devices of Alice and Bob have efficiency one. For each $i \in \{1 \ldots n\}$,

1. Alice picks randomly a basis $a_i \in \{+, \times\}$ with uniform probability distribution. Alice measures her $i$-th photon in the basis $a_i$, obtaining the outcome $\alpha_i \in \{0, 1\}$, corresponding to the state $|\alpha_i\rangle_{a_i}$.

2. Similarly, Bob picks randomly and independently of Alice a basis $b_i \in \{+, \times\}$ with uniform probability distribution. Bob measures his $i$-th photon in the basis $b_i$, obtaining the outcome $\beta_i \in \{0, 1\}$, corresponding to the state $|\beta_i\rangle_{b_i}$.

Sifting

We denote by $a = (a_1, a_2, \ldots, a_n)$, $b = (b_1, b_2, \ldots, b_n)$, $\alpha = (\alpha_1, \alpha_2, \ldots, \alpha_n)$ and $\beta = (\beta_1, \beta_2, \ldots, \beta_n)$ the outcomes of the quantum transmission. For any vector $y = (y_1, y_2, \ldots, y_n)$ in $\{0,1\}^n$ or $\{+, \times\}^n$, and for any subset $X$ of $\{1 \ldots n\}$, we denote by $y_X$ the restriction of $y$ to $X$.

Alice and Bob compare publicly their bases $a$ and $b$. We denote by $d$ the vector in $\{0,1\}^n$ such that for any $i \in \{1 \ldots n\}$, $d_i = 1$ if and only if $a_i = b_i$. If the number of indexes $i \in \{1 \ldots n\}$ such that $a_i = b_i$ is greater than or equal to $s$ (i.e. $w(d) \ge s$), then the sifted set $S$ is defined as the set of the first $s$ such indexes. Otherwise the validation test is failed. The bit strings $\alpha_S$ and $\beta_S$ are usually referred to as the sifted keys.

Error correction

Alice and Bob perform the error correction on their sifted keys $\alpha_S$ and $\beta_S$ as specified in the protocol setup. We define the error set $E$ as the set of indexes in $S$ in which an error is found, that is, $\alpha_i \ne \beta_i$. Likewise, we define the error vector $e$ as the vector in $\{0,1\}^s$ giving the positions of the errors ($\forall i \in \{1, \ldots, s\}$, $e_i = 1$ if and only if the $i$-th index of $S$ belongs to $E$). We denote by $e$ the size of the set $E$, i.e. $e = |E| = w(e)$. The validation test is passed if $e \le \epsilon s$, otherwise it is failed. If the validation test is passed, then Alice and Bob define the reconciled set $R$ as the set of the first $r$ indexes $i \in S \setminus E$.² Therefore $|R| = r$ and $\forall i \in R$, $a_i = b_i$ and $\alpha_i = \beta_i$. Alice and Bob obtain an identical string of bits $\alpha_R \in \{0,1\}^r$, called the reconciled key.

Privacy amplification

The private key is defined as:

1. $\kappa = K\alpha_R \pmod 2$ if the validation test is passed.

² Note that $|S \setminus E| \ge r$ if the validation test is passed.
2. an $m$-bit string $\kappa$ picked randomly by Alice with uniform probability distribution each time the validation test is failed.
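As an added example, not code from the paper, the following Python simulates the setup condition on $K$, the quantum transmission, sifting, validation test and privacy amplification steps above with an ideal source and perfect detectors. The parameter values, the $3 \times 14$ matrix `K_MATRIX` and the `flip_rate` noise knob are constructed for illustration, and error correction is idealised as disclosure of the error positions.

```python
"""Classical simulation of the protocol of Section 3 with an ideal source and
perfect detectors (added example; not code from the paper).  For the ideal pair
(|0>_+|0>_+ + |1>_+|1>_+)/sqrt(2), outcomes coincide when Alice and Bob use the
same basis and are independent uniform bits otherwise.  `flip_rate` is a
constructed disturbance on Bob's outcomes; error correction is idealised as
disclosure of the error positions E."""
import itertools
import random
from typing import Dict, List, Sequence

Bits = List[int]


def weight(v: Sequence[int]) -> int:
    """w(y): number of non-zero entries of y."""
    return sum(1 for x in v if x)


def gf2_combination(rows: Sequence[Bits], coeffs: Sequence[int]) -> Bits:
    """Linear combination over {0,1} of the given rows (entrywise mod 2)."""
    return [sum(c * row[j] for c, row in zip(coeffs, rows)) % 2
            for j in range(len(rows[0]))]


def check_matrix_K(K: Sequence[Bits], d_K: float) -> bool:
    """Setup condition: every combination using at least one row of K has
    weight > d_K = (2*eps/(1-eps) + tau) * r.  Brute force over the 2^m - 1
    non-trivial combinations, fine for the small m used here."""
    for coeffs in itertools.product((0, 1), repeat=len(K)):
        if any(coeffs) and weight(gf2_combination(K, coeffs)) <= d_K:
            return False
    return True


def privacy_amplify(K: Sequence[Bits], alpha_R: Bits) -> Bits:
    """kappa = K alpha_R (mod 2): one private-key bit per row of K."""
    return [sum(k * a for k, a in zip(row, alpha_R)) % 2 for row in K]


def run_session(n: int, s: int, r: int, eps: float, K: Sequence[Bits],
                flip_rate: float = 0.0, seed: int = 0) -> Dict:
    rng = random.Random(seed)
    m = len(K)
    result: Dict = {"passed": False, "key_alice": None, "key_bob": None, "errors": None}
    # Quantum transmission: bases a, b and outcomes alpha, beta for the n pairs.
    a = [rng.choice("+x") for _ in range(n)]
    b = [rng.choice("+x") for _ in range(n)]
    alpha = [rng.randint(0, 1) for _ in range(n)]
    beta = []
    for i in range(n):
        bit = alpha[i] if a[i] == b[i] else rng.randint(0, 1)
        if rng.random() < flip_rate:  # constructed disturbance of Bob's outcome
            bit ^= 1
        beta.append(bit)
    # Sifting: d_i = 1 iff a_i = b_i; S = first s such indexes, else the test fails.
    d = [int(a[i] == b[i]) for i in range(n)]
    if weight(d) < s:
        result["key_alice"] = [rng.randint(0, 1) for _ in range(m)]  # fail convention
        return result
    S = [i for i in range(n) if d[i]][:s]
    # Error correction: error set E on S; the validation test passes iff e <= eps*s.
    E = {i for i in S if alpha[i] != beta[i]}
    result["errors"] = len(E)
    if len(E) > eps * s:
        result["key_alice"] = [rng.randint(0, 1) for _ in range(m)]
        return result
    # Reconciled set R: the first r indexes of S \ E; alpha_R == beta_R there.
    R = [i for i in S if i not in E][:r]
    result.update(passed=True,
                  key_alice=privacy_amplify(K, [alpha[i] for i in R]),
                  key_bob=privacy_amplify(K, [beta[i] for i in R]))
    return result


# Constructed parameters: m = 3, r = 14, s = 15, eps = 0.1, tau = 0.2, so that
# eps < 1/4, r >= s(1-eps) and d_K = 5.91.  Each row of K is a codeword of the
# [7,3] simplex code written twice, so all seven non-zero combinations of rows
# have weight 8 > d_K.
EPS, TAU, R_SIZE, S_SIZE, N_PAIRS = 0.1, 0.2, 14, 15, 80
D_K = (2 * EPS / (1 - EPS) + TAU) * R_SIZE
K_MATRIX = [[1, 0, 0, 1, 0, 1, 1] * 2,
            [0, 1, 0, 1, 1, 0, 1] * 2,
            [0, 0, 1, 0, 1, 1, 1] * 2]

if __name__ == "__main__":
    assert check_matrix_K(K_MATRIX, D_K)
    print(run_session(N_PAIRS, S_SIZE, R_SIZE, EPS, K_MATRIX))
```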

4 Privacy of the protocol

The main result of this paper is stated.

Property 1 The protocol described above offers perfect privacy: for any eavesdropping strategy chosen by a possible eavesdropper, the conditional entropy of the private key $\mathbf{k}$ given the eavesdropper's view $\mathbf{v}$ is bounded from below by:

$$H(\mathbf{k}|\mathbf{v}) \ge m - 2\left(m + \frac{1}{\ln 2}\right)\left(\theta(r) + 2\sqrt{\theta(r)}\right),$$

where

$$\theta(r) = 2^{-\left(1 - h\left(\frac12 - \frac{3\tau}{16}\right)\right)\frac{\tau r}{2}}.$$

The above bound applies for any value of the security parameter $r$ such that the matrix $K$ specified in the protocol exists.

The protocol uses a previously shared private key for the error reconciliation. A net gain in shared private bits is achieved if $m$ is greater than the number of secret bits used during error reconciliation. For asymptotic values of $m$, we can take arbitrarily small values for the security constant $\tau$, and a net gain in private bits is obtained if $m > s\,h(\epsilon) \approx \frac{r}{1-\epsilon}\,h(\epsilon)$. We have seen that privacy amplification is possible if $\frac{m}{r} < 1 - h\!\left(\frac{\epsilon}{1-\epsilon} + \frac{\tau}{2}\right)$. Therefore, a net gain in shared private bits can be obtained for asymptotic values of $m$ if:

$$1 - h\!\left(\frac{\epsilon}{1-\epsilon}\right) - \frac{1}{1-\epsilon}\,h(\epsilon) > 0.$$

5 Proof of the privacy

5.1 Notations

We define the notations used throughout the proof.

Classical data

We denote collectively by $C = (a, b, \alpha, \beta)$ the classical data Alice and Bob generate during the protocol (after the setup). Note that other variables Alice and Bob generate during the protocol can be deterministically derived from $C$. We denote by $P = (a, d, e)$ the data that are publicly announced by Alice and Bob during the protocol. Recall that specifying $a$ and $d$ is equivalent to specifying $a$ and $b$. For any possible $P$, we denote by $\mathcal{C}_P$ the set of values for the classical data that are compatible with the public announcement of $P$. That is, for a given $P = (a, d, e)$,

$$\mathcal{C}_P = \{\, C = (a', b', \alpha', \beta') \;:\; a' = a;\ \forall i,\ b'_i = a_i \text{ if } d_i = 1 \text{ and } b'_i \ne a_i \text{ if } d_i = 0;\ \forall i \in E,\ \alpha'_i \ne \beta'_i \text{ and } \forall i \in S \setminus E,\ \alpha'_i = \beta'_i \,\},$$

where $S$ and $E$ are given by $d$ and $e$. Given a possible $P$ and a value $\kappa$ for the private key, we define $\mathcal{C}_{P,\kappa}$ as the set of values for the classical data that are compatible with the public announcement of $P$ and the generation of $\kappa$ for the private key. That is, for a given $P = (a, d, e)$,

$$\mathcal{C}_{P,\kappa} = \{\, C = (a', b', \alpha', \beta') \in \mathcal{C}_P \;:\; K\alpha'_R = \kappa \pmod 2 \,\},$$

where $S$, $E$ and $R$ are given by $d$ and $e$. Finally, we denote by $\mathcal{P}$ the set of all possible public announcements for which the validation test is passed. That is,

$$\mathcal{P} = \{\, P = (a, d, e) \;:\; w(d) \ge s \text{ and } e \le \epsilon s \,\}.$$

For any vector $x$ and any symbol $A$, $w(x)$ is the number of non-zero entries, and $w_A(x)$ is the number of entries with symbol $A$. For any vector $x \in \{0,1\}^n$, we denote by $\neg x$ the vector whose $i$-th entry is $1 + x_i \pmod 2$ for all $i \in \{1 \ldots n\}$. Finally, we denote by $T$ the subset $S \setminus (E \cup R)$, and by $t$ the size of $T$.

Bell states

For each $i \in \{1 \ldots n\}$, we define the Bell basis $\{|0\rangle_i, |1\rangle_i, |2\rangle_i, |3\rangle_i\}$ of the $i$-th pair of photons as:

$$|0\rangle_i = \frac{|0\rangle_{+,i}|0\rangle_{+,i} + |1\rangle_{+,i}|1\rangle_{+,i}}{\sqrt{2}}, \qquad |1\rangle_i = \frac{|0\rangle_{+,i}|0\rangle_{+,i} - |1\rangle_{+,i}|1\rangle_{+,i}}{\sqrt{2}},$$

$$|2\rangle_i = \frac{|0\rangle_{+,i}|1\rangle_{+,i} + |1\rangle_{+,i}|0\rangle_{+,i}}{\sqrt{2}}, \qquad |3\rangle_i = \frac{|0\rangle_{+,i}|1\rangle_{+,i} - |1\rangle_{+,i}|0\rangle_{+,i}}{\sqrt{2}},$$

where the first and the second state in the product states on the right-hand side correspond to Alice's and Bob's $i$-th photon's polarisation state, respectively. Tensor products are implied when we consider the state of several photons, that is, $|\alpha, \beta\rangle_{a,b} = \bigotimes_i |\alpha_i\rangle_{a_i,i}|\beta_i\rangle_{b_i,i}$ and $|c\rangle = \bigotimes_i |c_i\rangle_i$. For any subset $X$ of $\{1 \ldots n\}$, $|\alpha_X, \beta_X\rangle_{a_X,b_X} = \bigotimes_{i \in X} |\alpha_i\rangle_{a_i,i}|\beta_i\rangle_{b_i,i}$.

Given a basis $a \in \{+, \times\}$, we define $X_a$ as the set of indexes of Bell states that are compatible with Alice and Bob measuring in the same basis $a$ and sharing the same bit value. Likewise, we define $Y_a$ as the set of indexes of Bell states that are compatible with Alice and Bob measuring in basis $a$ and not sharing the same bit value. That is, $X_+ = \{0, 1\}$, $X_\times = \{0, 2\}$, $Y_+ = \{2, 3\}$ and $Y_\times = \{1, 3\}$. Given the choice of bases $a$ and a set $A \subseteq \{1 \ldots n\}$, we define $X_{a_A}$ as $\{c_A \in \{0,1,2,3\}^{A} : \forall i \in A,\ c_i \in X_{a_i}\}$ and $Y_{a_A}$ as $\{c_A \in \{0,1,2,3\}^{A} : \forall i \in A,\ c_i \in Y_{a_i}\}$. Given a reconciled set $R$ and the choice of bases on $R$, for any $c_R \in X_{a_R}$, we will denote by $\gamma$ the unique $\gamma \in \{0,1\}^r$ such that for each $i \in \{1, \ldots, r\}$, $c_i = (1 + w_\times(a_i))\,\gamma_i$, i.e. $c_i = \gamma_i$ if $a_i = +$, and $c_i = 2\gamma_i$ if $a_i = \times$. For any vectors $x, y \in \{0,1\}^r$, we define $x \cdot y$ as $x \cdot y = \sum_{i=1}^{r} x_i y_i$. Given $R$ and $a_R$, for any $c_R \in X_{a_R}$, we have the identity

$$\langle \alpha_R, \alpha_R | c_R \rangle_{a_R,a_R} = \frac{(-1)^{\alpha_R \cdot \gamma}}{\sqrt{2^r}}.$$

5.2 Model of measurements

A mathematical model of measurements on the quantum state generated by the source is given. The source can be under complete control of Eve, as long as it sends $n$ single photons to both Alice and Bob. In such a scenario, Eve may entangle a probe of any dimension to the photons she sends to Alice and Bob, which are in any state Eve wants. We write the state of these $n$ couples of photons and the probe in the Bell basis as follows:

$$\rho = \sum_{c, c'} |E_c\rangle\langle E_{c'}| \otimes |c\rangle\langle c'|,$$

where the states $|E_c\rangle$ are states of Eve's probe that are possibly neither orthogonal nor normalised. The positive operator giving the probability that Alice and Bob get $C = (a, b, \alpha, \beta)$ as their classical data is simply:

$$F_C = P_a(a)\,P_b(b)\,|\alpha, \beta\rangle_{a,b}\langle \alpha, \beta|,$$

where $P_a(a) = 1/2^n$ and $P_b(b) = 1/2^n$ for any choice of $a$ and $b$. Note that $P_a(a)P_b(b) = P_a(a)P_d(d)$ where $P_d(d) = 1/2^n$.

The positive operator giving the probability that Alice and Bob publicly announce $P = (a, d, e)$ while they get the private key $\kappa$ is the sum of the operators $F_{C'}$ for $C'$ running over $\mathcal{C}_{P,\kappa}$:

$$F_{P,\kappa} = \sum_{C' \in \mathcal{C}_{P,\kappa}} P_a(a')\,P_b(b')\,|\alpha', \beta'\rangle_{a',b'}\langle \alpha', \beta'|$$

$$= P_a(a)\,P_d(d)\; \mathbb{1}_{\bar S} \otimes \sum_{\alpha_E \in \{0,1\}^e} |\alpha_E, \neg\alpha_E\rangle_{a_E,a_E}\langle \alpha_E, \neg\alpha_E| \otimes \sum_{\alpha_T \in \{0,1\}^t} |\alpha_T, \alpha_T\rangle_{a_T,a_T}\langle \alpha_T, \alpha_T| \otimes \sum_{\substack{\alpha_R \in \{0,1\}^r\,:\\ K\alpha_R = \kappa}} |\alpha_R, \alpha_R\rangle_{a_R,a_R}\langle \alpha_R, \alpha_R|,$$

where $\mathbb{1}_{\bar S}$ is the identity operator acting on the Hilbert space describing photons not in $S$. Note that $b_S = a_S$.

Similarly, the positive operator giving the marginal probability that Alice and Bob publicly announce $P = (a, d, e)$ is the sum of the operators $F_{C'}$ for $C'$ running over $\mathcal{C}_P$:

$$F_P = \sum_{C' \in \mathcal{C}_P} F_{C'} = P_a(a)\,P_d(d)\; \mathbb{1}_{\bar S} \otimes \sum_{\alpha_E \in \{0,1\}^e} |\alpha_E, \neg\alpha_E\rangle_{a_E,a_E}\langle \alpha_E, \neg\alpha_E| \otimes \sum_{\alpha_T \in \{0,1\}^t} |\alpha_T, \alpha_T\rangle_{a_T,a_T}\langle \alpha_T, \alpha_T| \otimes \sum_{\alpha_R \in \{0,1\}^r} |\alpha_R, \alpha_R\rangle_{a_R,a_R}\langle \alpha_R, \alpha_R|.$$

Eve may perform a general measurement on her probe. This general measurement can take place after Alice and Bob's public announcements and therefore can be conditioned on $P$. We will denote by $V_P$ the set of views $v$ that are compatible with the public announcement $P$. The positive operator giving the probability that Eve gets the view $v$ given that Alice and Bob announced $P$ will be denoted by $G_{v|P}$. We will assume without loss of generality that the operators $G_{v|P}$ are of rank one, i.e. $G_{v|P} = |\chi_{v|P}\rangle\langle \chi_{v|P}|$ where the vectors $|\chi_{v|P}\rangle$ are possibly neither orthogonal nor normalised, but obey the relation $\sum_{v \in V_P} G_{v|P} = \mathbb{1}$.

5.3 The role of the validation test

Here we show that it is very unlikely that the validation test is passed when the state of the photons emitted by the source is very different from the ideal state specified by the protocol. The underlying principle has been advanced in earlier work. More precisely, given a possible reconciled set $R$, let $\Pi_R$ be the orthogonal projection operator defined as:

$$\Pi_R = \sum_{\substack{c \in \{0,1,2,3\}^n\,:\\ w(c_R) > d_K/2}} |c\rangle\langle c| = \mathbb{1}_{\bar R} \otimes \sum_{\substack{c_R \in \{0,1,2,3\}^r\,:\\ w(c_R) > d_K/2}} |c_R\rangle\langle c_R|.$$

The operator $\Pi_R$ projects onto Bell states for pairs of photons in $R$ with weight greater than $d_K/2$. The following property is then proved.

Property 2 The eigenvalues of the semi-definite positive Hermitian operator

$$\sum_{P \in \mathcal{P}} \Pi_R F_P \Pi_R,$$

where $R$ is specified by $P$ in the sum, are bounded from above by

$$\theta(r) = 2^{-\left(1 - h\left(\frac12 - \frac{3\tau}{16}\right)\right)\frac{\tau r}{2}}.$$
Proof The above operator can be written as:

$$\sum_{P \in \mathcal{P}} \Pi_R F_P \Pi_R = \sum_{\substack{d \in \{0,1\}^n\,:\\ w(d) \ge s}} \;\sum_{\substack{e \in \{0,1\}^s\,:\\ w(e) \le \epsilon s}} \Pi_R \left(\sum_a F_P\right) \Pi_R.$$

Now for given $d$ and $e$,

$$\sum_a F_P = P_d(d)\; \mathbb{1}_{\bar S} \bigotimes_{i \in E} Y_i \bigotimes_{j \in T} X_j \bigotimes_{k \in R} X_k,$$

where

$$X_i = |0\rangle_i\langle 0| + \tfrac12 |1\rangle_i\langle 1| + \tfrac12 |2\rangle_i\langle 2|, \qquad Y_i = |3\rangle_i\langle 3| + \tfrac12 |1\rangle_i\langle 1| + \tfrac12 |2\rangle_i\langle 2|$$

are operators acting on the $i$-th photon pair's Hilbert space. The last equalities are derived directly from the definition of the Bell states. As a consequence, we have

$$\Pi_R \left(\sum_a F_P\right) \Pi_R = P_d(d)\; \mathbb{1}_{\bar S} \bigotimes_{i \in E} Y_i \bigotimes_{j \in T} X_j \otimes \sum_{\substack{c_R \in \{0,1,2\}^r\,:\\ w(c_R) > d_K/2}} \frac{|c_R\rangle\langle c_R|}{2^{w_1(c_R) + w_2(c_R)}}.$$

Now, given $d \in \{0,1\}^n$, the operator

$$\sum_{e\,:\,w(e) \le \epsilon s} \Pi_R \left(\sum_a F_P\right) \Pi_R$$

is diagonal in the Bell basis $|c\rangle$. Given a vector $c \in \{0,1,2,3\}^n$ and an error vector $e \in \{0,1\}^s$, a necessary condition for the scalar

$$\langle c |\, \Pi_R \left(\sum_a F_P\right) \Pi_R \,| c \rangle$$

to be non-zero is that, for all $i \in S$,

• $e_i = 0$ if $c_i = 0$,

• $e_i = 1$ if $c_i = 3$, and

• $w_1(c_S) + w_2(c_S) \ge e - w_3(c_S) + d_K/2$ (otherwise $w(c_R)$ is smaller than $d_K/2$).
Let $k = e - w_3(c_S)$. Then there are $\binom{w_1(c_S) + w_2(c_S)}{k}$ such vectors $e$ of weight $e$, if $0 \le k \le \epsilon s - w_3(c_S)$ and $k \le w_1(c_S) + w_2(c_S) - d_K/2$. Therefore,

$$\langle c |\, \sum_{e\,:\,w(e) \le \epsilon s} \Pi_R \left(\sum_a F_P\right) \Pi_R \,| c \rangle \;\le\; \frac{P_d(d)}{2^{w_1(c_S) + w_2(c_S)}} \sum_{\substack{0 \le k \le \epsilon s - w_3(c_S),\ \text{and}\\ k \le w_1(c_S) + w_2(c_S) - d_K/2}} \binom{w_1(c_S) + w_2(c_S)}{k}.$$

Now, $d_K$ is either greater or smaller than $(w_1(c_S) + w_2(c_S))\left(1 + \frac{\tau}{2}(1 - \epsilon)\right)$.

• If $d_K \ge (w_1(c_S) + w_2(c_S))\left(1 + \frac{\tau}{2}(1 - \epsilon)\right)$, then

$$w_1(c_S) + w_2(c_S) - \frac{d_K}{2} \;\le\; \frac12\left(1 - \frac{\tau}{2}(1 - \epsilon)\right)(w_1(c_S) + w_2(c_S)),$$

and

• if $d_K < (w_1(c_S) + w_2(c_S))\left(1 + \frac{\tau}{2}(1 - \epsilon)\right)$, then

$$\epsilon s - w_3(c_S) \;\le\; \epsilon s \;\le\; \frac{\epsilon}{1 - \epsilon}\, r \;=\; \frac{d_K - \tau r}{2} \;<\; \frac12\left(1 - \frac{\tau}{2}(1 - \epsilon)\right)(w_1(c_S) + w_2(c_S)),$$

where we have used $r \ge s(1 - \epsilon)$ and $s \ge w_1(c_S) + w_2(c_S)$.
We thus derived that:

$$\langle c |\, \sum_{e\,:\,w(e) \le \epsilon s} \Pi_R \left(\sum_a F_P\right) \Pi_R \,| c \rangle \;\le\; \frac{P_d(d)}{2^{w_1(c_S) + w_2(c_S)}} \sum_{0 \le k \le \frac12\left(1 - \frac{\tau}{2}(1 - \epsilon)\right)(w_1(c_S) + w_2(c_S))} \binom{w_1(c_S) + w_2(c_S)}{k}$$

$$\le\; P_d(d)\; 2^{-\left(1 - h\left(\frac12\left(1 - \frac{\tau}{2}(1 - \epsilon)\right)\right)\right)(w_1(c_S) + w_2(c_S))}$$

$$\le\; P_d(d)\; 2^{-\left(1 - h\left(\frac12 - \frac{3\tau}{16}\right)\right)\frac{\tau r}{2}}$$

$$=\; P_d(d)\,\theta(r),$$

where we have used the binomial inequality stating that $\sum_{0 \le k \le pn} \binom{n}{k} \le 2^{n\,h(p)}$ for any positive integer $n$ and $0 < p \le 1/2$. In the last inequality we have used the inequalities $\epsilon < 1/4$ and $w_1(c_S) + w_2(c_S) \ge d_K/2 \ge \tau r/2$, which hold when the above scalar is non-zero.

Remarking that the operator $\sum_{a}\sum_{e\,:\,w(e) \le \epsilon s} \Pi_R F_P \Pi_R$ is diagonal in the Bell basis for all $d$ and $\sum_{d\,:\,w(d) \ge s} P_d(d) \le 1$, this concludes the proof. □

We recall that $\rho = \sum_{c,c'} |E_c\rangle\langle E_{c'}| \otimes |c\rangle\langle c'|$ is the density operator describing Alice and Bob's photons and Eve's probe. The above property implies that

$$\operatorname{Tr}\!\left(\mathbb{1}_{\mathrm{Eve}} \otimes \sum_{P \in \mathcal{P}} \Pi_R F_P \Pi_R\; \rho\right) \le \theta(r),$$

where $\mathbb{1}_{\mathrm{Eve}}$ is the identity operator acting on the Hilbert space of the probe. That is,

$$\sum_{P \in \mathcal{P}} P_a(a)\,P_d(d) \sum_{\substack{c\,:\; c_E \in Y_{a_E},\ c_{S \setminus E} \in X_{a_{S \setminus E}},\\ w(c_R) > d_K/2}} \langle E_c | E_c \rangle \;\le\; \theta(r).$$

5.4 Quasi-independence of the key and the view

In this section we compute the joint probability distribution of the key and the view. We prove that this distribution is very close to the product of a uniform distribution for the key and the marginal probability distribution of the view.

Property 3 For any given eavesdropping strategy chosen by Eve and returning a view $\mathbf{v}$, the probability distribution of the key $\mathbf{k}$ and the view $\mathbf{v}$ obeys the following inequality:

$$\sum_{P \in \mathcal{P}} \sum_{v \in V_P} \sum_{\kappa \in \{0,1\}^m} \left| P_{\mathbf{kv}}(\kappa, v) - \frac{1}{2^m} P_{\mathbf{v}}(v) \right| \;\le\; 2\left(\theta(r) + 2\sqrt{\theta(r)}\right),$$

where $m$ is the length of the private key and $r$ is the size of the reconciled set.

Proof For any $\kappa \in \{0,1\}^m$, $P \in \mathcal{P}$ and $v \in V_P$, we have:

$$P_{\mathbf{kv}}(\kappa, v) - \frac{1}{2^m} P_{\mathbf{v}}(v) = \operatorname{Tr}\!\left(G_{v|P} \otimes F_{P,\kappa}\; \rho\right) - \frac{1}{2^m}\operatorname{Tr}\!\left(G_{v|P} \otimes F_P\; \rho\right)$$

$$= P_a(a)\,P_d(d) \sum_{\substack{c, c'\,:\; c_{\bar R} = c'_{\bar R},\\ c_E \in Y_{a_E},\ c_T \in X_{a_T},\\ c_R, c'_R \in X_{a_R}}} \langle E_{c'} |\, G_{v|P} \,| E_c \rangle\; \Delta_\kappa(\gamma, \gamma'),$$

where $\gamma$ and $\gamma'$ are given by $c_R$ and $c'_R$, and

$$\Delta_\kappa(\gamma, \gamma') = \frac{1}{2^r} \sum_{\substack{\alpha_R \in \{0,1\}^r\,:\\ K\alpha_R = \kappa \pmod 2}} (-1)^{\alpha_R \cdot (\gamma + \gamma')} \;-\; \frac{1}{2^m}\,\delta_{\gamma,\gamma'},$$

where we have used the identity $\langle \alpha_R, \alpha_R | c_R \rangle_{a_R,a_R} = \frac{(-1)^{\alpha_R \cdot \gamma}}{\sqrt{2^r}}$ for any $c_R \in X_{a_R}$.

We denote by:

• $\mathcal{G}$ the set of all linear combinations over $\{0,1\}$ of rows of $K$. It is a vector space of dimension $m$.

• $\mathcal{S}$ a subspace of $\{0,1\}^r$ that is a supplement of the subspace $\mathcal{G}$, that is, $\mathcal{G} \oplus \mathcal{S} = \{0,1\}^r$. The dimension of $\mathcal{S}$ is $r - m$.

• $\mathcal{K}$ the set of all vectors $x \in \{0,1\}^r$ such that $Kx = 0 \pmod 2$. The set $\mathcal{K}$ is a vector space of dimension $r - m$, since the rows of $K$ are linearly independent. We will denote by $\{u_1, \ldots, u_{r-m}\}$ a basis of $\mathcal{K}$.

Given a subspace $F$ of $\{0,1\}^r$, we denote by $F^\perp$ the set of all vectors $x \in \{0,1\}^r$ such that for all $y \in F$, $x \cdot y = 0 \pmod 2$. Remark that $\mathcal{K}^\perp = \mathcal{G}$. Since the rows of $K$ are linearly independent, for any $\kappa \in \{0,1\}^m$ there exists a vector $a_\kappa \in \{0,1\}^r$ such that $K a_\kappa = \kappa \pmod 2$. It follows that $K\alpha_R = \kappa \pmod 2$ if and only if $\alpha_R \in a_\kappa + \mathcal{K}$. Thus, following the techniques used in earlier proofs,

$$\sum_{\substack{\alpha_R \in \{0,1\}^r\,:\\ K\alpha_R = \kappa \pmod 2}} (-1)^{\alpha_R \cdot (\gamma + \gamma')} = \sum_{\alpha_R \in a_\kappa + \mathcal{K}} (-1)^{\alpha_R \cdot (\gamma + \gamma')} = (-1)^{a_\kappa \cdot (\gamma + \gamma')} \prod_{i=1}^{r-m} \left(1 + (-1)^{u_i \cdot (\gamma + \gamma')}\right)$$

$$= \begin{cases} (-1)^{a_\kappa \cdot (\gamma + \gamma')}\; 2^{r-m} & \text{if } \gamma + \gamma' \in \mathcal{K}^\perp = \mathcal{G}, \\ 0 & \text{if } \gamma + \gamma' \notin \mathcal{G}. \end{cases}$$


One obtains therefore that:



where $U_{v,\kappa,c_{\bar R}}$ and $V_{v,\kappa,c_{\bar R}}$ are complex vectors of dimension $2^r$ and $A$ is a $2^r \times 2^r$ complex matrix, whose entries are indexed by $\gamma \in \{0,1\}^r$. The $\gamma$-th entries of $U_{v,\kappa,c_{\bar R}}$ and $V_{v,\kappa,c_{\bar R}}$ are:

$$U_{v,\kappa,c_{\bar R}}(\gamma) = \begin{cases} (-1)^{a_\kappa \cdot \gamma}\, \langle \chi_{v|P} | E_c \rangle & \text{if } w(\gamma) \le d_K/2, \\ 0 & \text{if } w(\gamma) > d_K/2, \end{cases} \qquad V_{v,\kappa,c_{\bar R}}(\gamma) = \begin{cases} 0 & \text{if } w(\gamma) \le d_K/2, \\ (-1)^{a_\kappa \cdot \gamma}\, \langle \chi_{v|P} | E_c \rangle & \text{if } w(\gamma) > d_K/2, \end{cases}$$

where $c$ is given by $c_{\bar R}$ and $\gamma$. The $(\gamma, \gamma')$-th entry of $A$ is:

$$A_{\gamma,\gamma'} = \begin{cases} 1 & \text{if } \gamma + \gamma' \in \mathcal{G} \setminus \{0\}, \\ 0 & \text{if } \gamma + \gamma' \notin \mathcal{G} \setminus \{0\}. \end{cases}$$

This implies $U_{v,\kappa,c_{\bar R}}^\dagger A\, U_{v,\kappa,c_{\bar R}} = 0$, since $w(\gamma) \le d_K/2$ and $w(\gamma') \le d_K/2$ imply that $w(\gamma + \gamma') \le d_K$, that is, $\gamma + \gamma' \notin \mathcal{G} \setminus \{0\}$.

The matrix $A$ is Hermitian, with eigenvalues $2^m - 1$ and $-1$. There are $2^{r-m}$ eigenvectors $v_x$ ($x \in \mathcal{S}$) associated with the eigenvalue $2^m - 1$. The $\gamma$-th entry of $v_x$ is:

$$v_x(\gamma) = \begin{cases} 1 & \text{if } \gamma + x \in \mathcal{G}, \\ 0 & \text{if } \gamma + x \notin \mathcal{G}. \end{cases}$$

There are $2^{r-m}(2^m - 1)$ eigenvectors $w_{x,\sigma}$ ($x \in \mathcal{S}$, $\sigma \in \{0,1\}^m \setminus \{0\}$) associated with the eigenvalue $-1$. The $\gamma$-th entry of $w_{x,\sigma}$ is:

$$w_{x,\sigma}(\gamma) = \begin{cases} (-1)^{\sigma \cdot \omega_{\gamma + x}} & \text{if } \gamma + x \in \mathcal{G}, \\ 0 & \text{if } \gamma + x \notin \mathcal{G}, \end{cases}$$

where for any $y \in \mathcal{G}$, $\omega_y$ is the unique vector in $\{0,1\}^m$ such that $K^T \omega_y = y \pmod 2$. Note that for any $\gamma \in \{0,1\}^r$, there is a unique $(x, y) \in \mathcal{S} \times \mathcal{G}$ such that $\gamma = x + y$, and that:

$$\mathbb{1}_\gamma = \frac{1}{2^m}\left( v_x + \sum_{\sigma \in \{0,1\}^m \setminus \{0\}} (-1)^{\sigma \cdot \omega_y}\, w_{x,\sigma} \right),$$

where $\mathbb{1}_\gamma$ is the canonical vector with entry $1$ at position $\gamma$ and $0$ everywhere else. We can express the vectors $U_{v,\kappa,c_{\bar R}}$ and $V_{v,\kappa,c_{\bar R}}$ as linear combinations of these eigenvectors:

^VKC^ ~ ^ ^ ( 1) ~''^V,C-^,X,kVx ~I~ ^ ^ ^~^ ( ■'-) " ~''^V,C^,X,K+ff'^X,ffi 

xes 



xes 

where for any $z \in \{0,1\}^m$,

4^V,C-g,X,Z 



E 



ii;(£+jr)<dK/2 



E 



(-1)^ 



■{Xv\p\Ec), 



-{Xv\p\Ec). 



yeg : 

w(x+y)>dK/2 



In deriving the above formulae, we used the identity $a_\kappa \cdot y = \omega_y \cdot \kappa \pmod 2$ for any $y \in \mathcal{G}$ and $\kappa \in \{0,1\}^m$. It follows that:



EiV'.,c^,s,^i'(2"-i)iit/di'- E iV'«,c^A«+- 



xe5 



xe5 



thus,



«e{o,i}" 



< 2" ^ [(2™ - 1) ^ |V.,c^,£,«|' + E IV'.,c^,s,.-+^ 1^ 



xe5 



= 2-+l(2™-l)5^5^|^„,e^,5,,f 
Similarly, we have,



Ke{o,i}'" 



xG5 k 



Now, 

EE E 

PeVveVp Ke{o,i}" 



^ E^p«(«)Pd<^l E E E [iKW^^-'^i+^it^.W^^-c 



< 2(2™ - 1) E P3(5)Pd-<rf) E E E E [iv'.,c^,5,«r + 2|c,c^a«V'.,c^,£,«i 



Or- 

where we used the Cauchy-Schwarz inequality, and where

^ = E E E EEPa(«)Pcr(rfli^".c^.--'^i 

Pev veVp ses k 

^ = E EEP3(«)Pd-<'iliw^,«i^ 

PeV ^_ v^Vpx^S K 

CTeXarr 
We derive an upper bound on $\eta$ and $\xi$. We have:



V = Ep«>ip.-<'0 E EE E E 

Per 



i-iy 



CTeXa^ 



22n 



w{x+y)>dK /2 
w{x+y')>dK /2 



veVp 



E ' 



w(a+y)>dif/2 



= i E p«^(«)p.-<^l E E (^cii^c) 



Or-: xeS,yeS 
CEeYaj,, w{x+y)>dK/2 



i E Ps(«)p.-<^1 E 



Pe-p 



< — 6»(r) 



E i^o\E,) 

CEeYag, w{cR)>dK/2 



using the result of the previous section. Similarly, 



^ = 4 E P'^(«)Pd<^") E E i^ci^c) 



Per 



ceSY^e' w{cR)<dK/2 



< 



Consequently, 



EE E 

Per veVp «e{o,i}" 



< 



2 (e{r) + 2v^) 



which concludes our proof. 



□ 



5.5 Bound on the conditional entropy

We conclude the proof of privacy by using the following property from classical information theory.

Property 4 Let $\mathbf{x}$ and $\mathbf{y}$ be two discrete random variables taking values in the sets $X$ and $Y$ respectively. Let $\mu$ be a nonnegative real number. If the following inequality is satisfied:

$$\sum_{x \in X,\ y \in Y} \left| P_{\mathbf{xy}}(x, y) - \frac{P_{\mathbf{y}}(y)}{|X|} \right| \le \mu,$$

then the conditional entropy of $\mathbf{x}$ given $\mathbf{y}$ is lower-bounded by:

$$H(\mathbf{x}|\mathbf{y}) \ge (1 - \mu)\log_2 |X| - \frac{\mu}{\ln 2}.$$

Proof The hypothesis implies that there exists a set of real numbers $\eta_{x,y}$ for all $x \in X$ and $y \in Y$ such that:

$$P_{\mathbf{xy}}(x, y) = \frac{P_{\mathbf{y}}(y)}{|X|}\left(1 + \eta_{x,y}\right)$$

($\eta_{x,y}$ is assigned the value zero if $P_{\mathbf{y}}(y) = 0$) obeying the inequality:

$$\frac{1}{|X|}\sum_{x \in X,\ y \in Y} P_{\mathbf{y}}(y)\,|\eta_{x,y}| \le \mu.$$

Note that for all $x$ and $y$, we have $-1 \le \eta_{x,y} \le |X| - 1$. Now,

$$H(\mathbf{x}|\mathbf{y}) = -\sum_{x \in X,\ y \in Y\,:\, P_{\mathbf{xy}}(x, y) > 0} P_{\mathbf{xy}}(x, y)\,\log_2 P_{\mathbf{x}|\mathbf{y}=y}(x)$$

1 



l0g2 \X\ 



E 



> l0g2\X 



1 

L 

xex,yey ■.ri^,y>-i 



■Py{y)^0g2{l + Vx,y) 



— In 2 



E 



In 2 



-/il0g2 \X\, 



Pyiy)Vx,yi0g2 (l+Vx.y) 



<\X\ 



which concludes the proof. □

The probability distribution of the private key and the view obeys the following inequality:

$$\sum_{\substack{\kappa \in \{0,1\}^m,\\ v \in V}} \left| P_{\mathbf{kv}}(\kappa, v) - \frac{1}{2^m} P_{\mathbf{v}}(v) \right| = \sum_{P \in \mathcal{P}} \sum_{v \in V_P} \sum_{\kappa \in \{0,1\}^m} \left| P_{\mathbf{kv}}(\kappa, v) - \frac{1}{2^m} P_{\mathbf{v}}(v) \right| + \sum_{P \notin \mathcal{P}} \sum_{v \in V_P} \sum_{\kappa \in \{0,1\}^m} \left| P_{\mathbf{kv}}(\kappa, v) - \frac{1}{2^m} P_{\mathbf{v}}(v) \right|$$

$$\le 2\left(\theta(r) + 2\sqrt{\theta(r)}\right) + 0,$$

where we have used the fact that the key is randomly chosen by Alice with uniform probability distribution if the validation test is not passed. Applying the above property to the random variables $\mathbf{k}$ and $\mathbf{v}$, we obtain:

$$H(\mathbf{k}|\mathbf{v}) \ge m - 2\left(m + \frac{1}{\ln 2}\right)\left(\theta(r) + 2\sqrt{\theta(r)}\right),$$

which concludes the proof of privacy. □
A Appendix: Error detection and correction

We describe here how we can estimate the error rate in the sifted set $S$ and then correct the discrepancies between Alice's and Bob's sifted keys using the interactive error-reconciliation scheme of Brassard and Salvail.

Estimation of the error rate The error rate in the sifted set can be estimated by comparing a small proportion of the bits chosen randomly in the sifted key. The compared bits should be encrypted with the one-time pad method so that a potential eavesdropper learns only the positions of the errors. A probabilistic property such as the Hoeffding inequality can be used to show that the observed error rate in the sampled proportion is not considerably lower than the error rate in the remaining part of the sifted set. For an asymptotic size of the sifted set, one can take an arbitrarily small but positive proportion of the sifted key for this error rate estimation.
Error correction The remaining part of the sifted set that was not sampled in the previous step must be corrected. One-way linear error-correcting codes can be used for error correction. However, they are not very efficient, and a considerably higher number of redundant bits is required than the Shannon limit. A practical interactive correction scheme, devised by Brassard and Salvail, gets closer to this theoretical limit. A basic description of the scheme follows:

Alice and Bob group their bits into blocks of a given size, which has to be optimised as a function of the error rate. They exchange information about the parity of each block over the public channel. These parities should be encrypted using the one-time pad method. If their parities agree then they proceed to the next block. If their parities disagree, they deduce that there was an odd number of errors in the corresponding block, and search for one of them recursively by cutting the block into two subblocks and comparing the parities of the first subblock: if the parities agree then the second subblock has an odd number of errors, and if they do not, then the first subblock has an odd number of errors. Again, these parities should be encrypted. This procedure is continued recursively on the subblock with an odd number of errors. As a result of the encryption of the exchanged parities, a possible eavesdropper learns only the positions of the errors.

After this first step, every considered block has either an even number of errors or none. Alice and Bob then shuffle the positions of their bits and repeat the same procedure with blocks of bigger size (this size being optimised as well). However, when an error is corrected, Alice and Bob might deduce that some blocks treated previously now have an odd number of errors. They choose the smallest block amongst them and correct one error recursively, as before. They proceed until every previously treated block has an even number of errors, or none.

Similar steps follow, and the interactive error correction terminates after a specified number of steps. This number is to be optimised in order to maximise the probability that no discrepancies remain and, at the same time, minimise the number of bits used for the one-time pad encryption. Readers are referred to the original paper for a precise description and treatment of this scheme.
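As an added example, and not the Brassard-Salvail code itself, here is a simplified Python rendering of the interactive scheme described in this appendix: one-time-padded block parities, bisection on odd-parity blocks, shuffled passes with larger blocks, and revisiting of earlier blocks after each correction. The sample bit strings, the pad and the block sizes are constructed; the pad counter shows how many secret bits the parity exchanges consume.

```python
"""Simplified interactive reconciliation in the style described in the appendix
(added example; not the original Brassard-Salvail scheme).  Each parity sent
over the public channel is XORed with one fresh pre-shared pad bit, so the pad
counter equals the number of parities exchanged."""
import random
from typing import List, Sequence, Set, Tuple

Block = Tuple[int, ...]


class Reconciliation:
    def __init__(self, alice: Sequence[int], bob: Sequence[int],
                 pad: Sequence[int], seed: int = 0) -> None:
        self.alice = list(alice)        # Alice's sifted bits (reference copy)
        self.bob = list(bob)            # Bob's bits, corrected in place
        self.pad = list(pad)            # constructed pre-shared one-time-pad bits
        self.used = 0                   # pad bits consumed == parities exchanged
        self.corrected: List[int] = []  # positions disclosed as errors
        self.rng = random.Random(seed)

    def parity_differs(self, block: Sequence[int]) -> bool:
        """Alice sends parity(block) XOR pad bit; Bob strips the pad and compares.
        True means the block holds an odd number of errors."""
        if self.used >= len(self.pad):
            raise RuntimeError("one-time pad exhausted")
        key_bit = self.pad[self.used]
        self.used += 1
        cipher = (sum(self.alice[i] for i in block) % 2) ^ key_bit  # public channel
        return (cipher ^ key_bit) != sum(self.bob[i] for i in block) % 2

    def fix_one_error(self, block: Sequence[int]) -> int:
        """Bisection on an odd-parity block: test the first half, keep the odd half."""
        idx = list(block)
        while len(idx) > 1:
            half = len(idx) // 2
            idx = idx[:half] if self.parity_differs(idx[:half]) else idx[half:]
        self.bob[idx[0]] ^= 1
        self.corrected.append(idx[0])
        return idx[0]

    def cascade(self, pos: int, passes: List[List[Block]]) -> None:
        """A correction at `pos` flips the parity of every treated block containing
        it.  Re-check those, fix one error in the smallest odd block, and repeat
        until all revisited blocks are even again."""
        def containing(p: int) -> Set[Block]:
            return {blk for blocks in passes for blk in blocks if p in blk}
        pending = containing(pos)
        while pending:
            odd = [blk for blk in pending if self.parity_differs(blk)]
            if not odd:
                break
            smallest = min(odd, key=len)
            new_pos = self.fix_one_error(smallest)
            pending = {b for b in odd if b != smallest} | containing(new_pos)

    def run(self, block_sizes: Sequence[int]) -> List[int]:
        n = len(self.alice)
        passes: List[List[Block]] = []
        for p, size in enumerate(block_sizes):
            order = list(range(n))
            if p > 0:
                self.rng.shuffle(order)  # fresh grouping for every later pass
            blocks = [tuple(order[i:i + size]) for i in range(0, n, size)]
            passes.append(blocks)
            for blk in blocks:
                if self.parity_differs(blk):
                    self.cascade(self.fix_one_error(blk), passes)
        return self.bob


def mismatches(a: Sequence[int], b: Sequence[int]) -> int:
    return sum(x != y for x, y in zip(a, b))


def reconcile(alice, bob, pad, block_sizes, seed=0) -> Reconciliation:
    rec = Reconciliation(alice, bob, pad, seed)
    rec.run(block_sizes)
    return rec


# Constructed sample: 16 sifted bits; Bob's copy differs at positions 1 and 5.
ALICE_BITS = [1, 0, 1, 1, 0, 0, 1, 0, 1, 1, 0, 1, 0, 0, 1, 0]
BOB_BITS = list(ALICE_BITS)
BOB_BITS[1] ^= 1
BOB_BITS[5] ^= 1
_pad_rng = random.Random(7)
PAD_BITS = [_pad_rng.randint(0, 1) for _ in range(200)]  # constructed pre-shared key

if __name__ == "__main__":
    rec = reconcile(ALICE_BITS, BOB_BITS, PAD_BITS, block_sizes=[4, 8])
    print(rec.bob == ALICE_BITS, rec.used, rec.corrected)
```

Two errors falling in the same block of a pass cancel in its parity and survive that pass, which is why the scheme needs the later, reshuffled passes the appendix describes.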